Web Browser Security - June 4, 2018

posted on Thursday, May 17, 2018

BankORION takes the security and privacy of customers very seriously. Due to industry-wide recommendations and requirements for securing web browser sessions, support for SSL and all TLS versions below TLS v1.2 will be disabled on June 4, 2018.

What does this mean for BankORION's website?

As of June 4, 2018, any https:// requests coming from non-supported (old) browsers will be denied. The "handshake" between the browser request and server will not happen, so you will see nothing (in most cases) besides a blank white page. Below are the minimum requirements for the most common supported modern browsers, or you can view a full matrix here.

Microsoft Edge, released in 2015

Mozilla Firefox 27, released in 2014

Internet Explorer 11, released in 2013

Google Chrome 30, released in 2013

Safari 7, released in 2013

iOS 5, released in 2011

The push towards enforcing these standards has been in the works for many years, which means only a very small fraction of all internet traffic falls outside of these required versions. If you still have an old browser, you will likely have issues accessing a multitude of other sites as the June 30th deadline approaches.

What happens next?

First off, there is nothing you need to do on your end to make this change. BankORION's server update will be made during off-peak maintenance hours, and downtime will be limited to how long it takes for the server to reboot, which is normally only a few minutes. You can use this third-party tool to check your browser compatibility. You may want to work with your internet provider if you have any questions.

What is SSL/early TLS?

Transport Layer Security (TLS) is a cryptographic protocol used to establish a secure communications channel between two systems (often known as HTTPS). It is used to authenticate one or both systems, and to protect the confidentiality and integrity of information that passes between systems. It was originally developed as Secure Sockets Layer (SSL) by Netscape in the early 1990s. Standardized by the Internet Engineering Task Force (IETF), TLS has undergone several revisions to improve security, block known attacks, and add support for new cryptographic algorithms, with major revisions to SSL 3.0 in 1996, TLS 1.0 in 1990, TLS 1.1 in 2006, and TLS 1.2 in 2008.

What is the risk of using SSL/early TLS?

There are many serious vulnerabilities in SSL and early TLS that, left unaddressed, put organizations at risk of being breached. The widespread POODLE and BEAST exploits are just a couple of examples of how attackers have taken advantage of weaknesses in SSL and early TLS to compromise organizations.

In addition to the documented vulnerabilities, standards bodies such as the Payment Card Industry Security Standards Council (PCI SSC) and the National Institute of Standards and Technology (NIST) have set deadlines and recommendations for disabling these protocols. For websites that accept credit card payments to be compliant, PCI SSC requires that sites use a minimum of TLS 1.1, with TLS 1.2 recommended by June 30, 2018, and NIST requires at least TLS 1.2. According to NIST, there are no fixes or patches that can adequately repair SSL or early TLS. We are upgrading to a secure alternative and disabling any fallback to both SSL and early TLS.
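
The version check behind the refused handshake described above, as an added example (not BankORION's code or configuration): the Python code below reads the highest protocol version a browser offers in its ClientHello and compares it with TLS 1.2, which is also how captured traffic can be checked for clients that will be cut off. The function names and the sample messages produced by `build_client_hello` are constructed for illustration.

```python
import struct

TLS12 = 0x0303           # wire value for TLS 1.2 (TLS 1.0 = 0x0301, TLS 1.1 = 0x0302)
SUPPORTED_VERSIONS = 43  # extension in which TLS 1.3 clients list their versions

def build_client_hello(legacy_version, supported_versions=()):
    """Construct a sample ClientHello record (constructed input, not a capture)."""
    ext = b""
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        data = bytes([len(vers)]) + vers
        ext = struct.pack("!HH", SUPPORTED_VERSIONS, len(data)) + data
    body = (struct.pack("!H", legacy_version) + bytes(32)  # version + random
            + b"\x00"                                       # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"            # one cipher suite
            + b"\x01\x00"                                   # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def client_max_version(record):
    """Return the highest protocol version offered in a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        best = struct.unpack_from("!H", body, 0)[0]        # legacy_version field
        pos = 34                                           # skip version + random
        pos += 1 + body[pos]                               # session id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher suites
        pos += 1 + body[pos]                               # compression methods
        if pos == len(body):
            return best                                    # no extensions present
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(body)):
            etype, elen = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + elen]
            if etype == SUPPORTED_VERSIONS and data:
                vers = data[1:1 + data[0]]
                # Ignore GREASE placeholders (0x?a?a), which are not real versions.
                listed = [v for (v,) in struct.iter_unpack("!H", vers[:len(vers) & ~1]) if v & 0x0f0f != 0x0a0a]
                best = max(listed, default=best)
            pos += 4 + elen
    except (struct.error, IndexError):
        raise ValueError("truncated ClientHello") from None
    return best

def server_accepts(record, minimum=TLS12):  # True if the handshake may proceed
    return client_max_version(record) >= minimum
```

A ClientHello in the old SSLv2 record format, or any non-TLS input, raises `ValueError` rather than being classified.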